Op Ed: Addressing the Threat of Cryptomining Malware

One major class of attacks to hit the hacking landscape recently is cryptomining. Cryptomining done openly, with the consent of the machine's owner, is a legitimate activity, but it also allows nefarious actors to make a lot of money fast, and, with the sheer number of cryptocurrencies available to mine, it is becoming a popular choice for attackers.

The technique essentially involves an attacker taking over another person's computer and using its CPU power to mine cryptocurrency. If the malware is configured to consume a large percentage of the CPU, it can prevent the CPU from doing other tasks and effectively deny the user access to the machine and its applications.

The malware mining work is often done through mining pools, a collaborative framework which allows numerous “miners” to work together, thus increasing the amount of money the attackers can make collectively.

So what can organizations do to protect their systems against this attack?

Hitting the Target

Attackers try to exploit any publicly available interface that will allow them to carry out the attack. Such interfaces can include misconfigured services in the cloud like databases, caches, management tools like Kubernetes and more. For example, recent research from Imperva shows that 75 percent of Redis servers are infected with cryptomining malware.

Having said that, web servers remain the largest target for attackers, since they are meant to be public. In fact, cryptomining has grown so popular that, in the closing months of 2017, there was a surge in attacks in which researchers saw that 88 percent of all remote code execution (RCE) attacks sending requests to external sources were trying to download cryptomining malware onto target machines.

To carry out cryptomining attacks, hackers will first look for an RCE vulnerability, which allows them to run arbitrary code on the vulnerable server. For example, a recent RCE vulnerability that attackers used to mine cryptocurrency was related to insecure deserialization. In this type of vulnerability, attackers tamper with serialized objects that are sent to the web application. Once the object is deserialized, malicious code runs on the vulnerable server, which allows the attacker to mine cryptocurrency.
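The insecure-deserialization pattern above, shown as an added example (not code from the original post or from Imperva): a Python service that unpickles client-supplied data resolves and calls whatever global the serialized object names, which is the defect attackers abuse. The hardened forms beside it are an unpickler that allow-lists the globals it will resolve, and, preferable where possible, a data-only format (JSON) with explicit shape checks. The allow-list contents, the session layout and the sample inputs are assumptions constructed for the example.

```python
import io
import json
import pickle
from collections import OrderedDict

# Allow-list of globals the restricted unpickler may resolve. Anything else,
# including any callable that could run code on load, is refused. This list is
# an assumption for the example; a real service lists only the types it needs.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def unsafe_loads(data: bytes):
    # The 'before' form: pickle resolves and calls whatever global the
    # serialized object names, so tampered input can execute code on load.
    return pickle.loads(data)


def restricted_loads(data: bytes):
    # Hardened form: same wire format, but class resolution is allow-listed.
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the input."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def parse_session_json(data: bytes) -> dict:
    """Preferred alternative: a data-only format plus explicit shape checks."""
    obj = json.loads(data)
    if not isinstance(obj, dict):
        raise ValueError("session must be a JSON object")
    if not isinstance(obj.get("user"), str):
        raise ValueError("user must be a string")
    roles = obj.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles must be a list of strings")
    # Return only the fields we validated, never the raw object.
    return {"user": obj["user"], "roles": roles}


def json_is_rejected(data: bytes) -> bool:
    """True if the JSON parser refuses the input (bad JSON or wrong shape)."""
    try:
        parse_session_json(data)
    except (ValueError, json.JSONDecodeError):
        return True
    return False


# Constructed inputs for the example (hypothetical session blobs).
SAMPLE_PLAIN = pickle.dumps({"user": "alice", "roles": ["viewer"]})
SAMPLE_UNLISTED = pickle.dumps(OrderedDict(user="alice"))  # names collections.OrderedDict
SAMPLE_JSON = b'{"user": "alice", "roles": ["viewer"]}'
SAMPLE_BAD_JSON = b'{"user": 42, "roles": "admin"}'

if __name__ == "__main__":
    print("plain pickle:", restricted_loads(SAMPLE_PLAIN))
    print("unlisted global rejected:", is_rejected(SAMPLE_UNLISTED))
    print("json session:", parse_session_json(SAMPLE_JSON))
    print("bad json rejected:", json_is_rejected(SAMPLE_BAD_JSON))
```

The restricted unpickler does not make pickle safe in general; it only narrows what a tampered object can reference. The JSON path is the design choice to prefer for data crossing a trust boundary, because it can only ever produce plain values.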

Cryptomining attackers use techniques similar to those of other attacks in terms of infection, evasion and persistence. However, in some cases, we see malware samples that try to maximize the attack, and their profit, either by spreading through the network via vulnerable devices or by injecting code into the server that affects the end users.

In addition, cryptomining attacks can be a prelude to other kinds of malicious activity. If a server is infected, it usually means that it is vulnerable to some kind of code injection. The same vulnerability that was exploited to infect the server with cryptomining malware can be reused to infect it with other malware or to launch further attacks from it on the attacker's behalf. An infected endpoint means that the attacker has gained a foothold in your internal network and that the attack can potentially spread to other machines in your organization.

Although bitcoin is probably the best-known and most popular cryptocurrency, attackers are not mining for bitcoin; this is not only because special hardware is required to mine for this coin, but also because bitcoin transactions are not private. This means that coins can be traced back along the transaction chain, which means attackers have a higher chance of getting caught.

As a result, attackers are instead increasingly mining two types of coins: privacy-focused coins like Monero, and newer cryptocurrencies that require less specialized mining equipment. These alternative cryptocurrencies allow attackers to carry out transactions without fear of being traced, as account balances cannot be seen and a transaction does not reveal the sender, the receiver or the amount transferred.

Protecting Against Cryptomining Attacks

To protect against cryptomining attacks, organizations should reduce their attack surface as much as possible, limit public access to their assets wherever possible and enforce strict authentication.

Cryptomining malware usually needs a lot of computing power, so a simple detection can be achieved by monitoring the CPU for high consumption. However, some cryptomining attacks are programmed to work under the radar: they are specifically configured not to overload the CPU, which makes them more difficult to detect.
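The detection described above, as an added example that is not part of the original post: a simple sustained-high-CPU check over per-process samples, beside a second heuristic for the throttled case. The second heuristic is an assumption of this example, not a claim from the post: a miner capped at a fixed CPU share tends to produce a flat, never-idle profile, whereas legitimate server work is bursty, so a low variance combined with a non-zero floor is worth flagging for review. The process names, sample values and thresholds are constructed for illustration.

```python
from statistics import pstdev
from typing import Dict, List

# Constructed sample: per-process CPU percent, one sample per minute for 30
# minutes. All names and values are hypothetical.
SAMPLES: Dict[str, List[float]] = {
    "web-server": [3, 45, 2, 60, 1] * 6,        # bursty, idles between requests
    "miner-sample": [98] * 30,                   # unthrottled miner pegging the CPU
    "throttled-sample": [22, 21, 23] * 10,       # miner capped at a fixed share
    "cron": [0] * 3 + [12] + [0] * 26,           # one short job, otherwise idle
}


def sustained_high_cpu(samples: List[float], threshold: float = 80.0,
                       min_fraction: float = 0.9) -> bool:
    """True if at least min_fraction of the samples are at or above threshold."""
    over = sum(1 for s in samples if s >= threshold)
    return over / len(samples) >= min_fraction


def flat_steady_cpu(samples: List[float], floor: float = 10.0,
                    max_stdev: float = 3.0) -> bool:
    """Heuristic (assumption): never idle and almost no variation, i.e. a flat
    line well above zero, which legitimate bursty workloads rarely produce."""
    return min(samples) >= floor and pstdev(samples) <= max_stdev


def classify(samples: List[float]) -> str:
    """Return 'high-cpu', 'flat-steady' or 'ok' for one process's samples."""
    if sustained_high_cpu(samples):
        return "high-cpu"
    if flat_steady_cpu(samples):
        return "flat-steady"
    return "ok"


def flag_processes(table: Dict[str, List[float]]) -> Dict[str, str]:
    """Map each suspicious process name to the heuristic that flagged it."""
    flagged = {}
    for name, samples in table.items():
        verdict = classify(samples)
        if verdict != "ok":
            flagged[name] = verdict
    return flagged


if __name__ == "__main__":
    for name, verdict in flag_processes(SAMPLES).items():
        print(f"{name}: {verdict}")
```

In practice the samples would come from a process monitor or the host agent; the thresholds must be tuned per role, since a database or batch node legitimately sits near a steady load, and a flat-profile hit is a lead for an analyst, not a conviction.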

To protect against cryptomining attacks, organizations must first ensure their systems are fully up to date with all relevant patches. In order for cryptomining to be successful, attackers must first take advantage of a vulnerability. However, if an organization is up to date with all its patches, then this entry point is sealed.

As attackers are targeting RCE vulnerabilities in web applications to launch their malware, patching is crucial. By ensuring that IT teams are aware of the latest vendor patches, and that systems are kept up to date with them, these kinds of vulnerabilities can be mitigated.

Alternatively, virtual patching can be used to actively protect web applications from attacks. This reduces the window of exposure and decreases the cost of emergency patches and fix cycles. A web application firewall that provides virtual patching does not interfere with the normal application workflow and keeps the site protected while allowing the site owners to control the patching timeline.

Taking Action

Illicit cryptomining is an effortless way for nefarious actors to make money, as it slips under the radar of victims. Plus, it is lucrative. The attack itself is simple to mount and is rapidly overtaking ransomware as the most prevalent attack vector. Although some see this type of attack as simply a nuisance, cryptomining has the potential to cause large-scale "brownouts," as computer infrastructures collapse when criminals fight over compromised systems to get their hands on cryptocurrencies.

This is a guest post by Nadav Avital, an application security research team leader at Imperva. Nadav has more than a dozen years of experience working in the computer and network security industry with strong technical skills in application security, hacking, operating systems (Linux and Windows), web architecture, Python and PHP. Views expressed are his own and do not necessarily reflect those of Bitcoin Magazine or BTC Media.